Re: RACF and public keys

2017-03-02 Thread Tracy Adams
Awesome, thanks for sharing in advance.  

We did get the key to work finally... it was a permissions issue!  Thanks all!!!

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Kirk Wolf
Sent: Thursday, March 02, 2017 10:01 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF and public keys

FYI, we will be presenting a SHARE session next week on this subject:

*Finding the Needle in a Haystack - Diagnosing Common OpenSSH Problems*

   - Room: Blossom Hill I,II
   - Session Number: 20125

Thursday, March 09, 2017: 10:00 AM - 11:00 AM

http://events.share.org/Winter2017/Public/SessionDetails.aspx?FromPage=Sessions.aspx=1900=20


For this particular issue (file permissions), see slide 45 of the presentation.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Mar 1, 2017 at 2:29 PM, Paul Gilmartin <000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Wed, 1 Mar 2017 13:00:08 -0700, Jack J. Woehr wrote:
>
> >Mark Post wrote:
> >> If you don't mind them accessing your system in this way (I have severe
> >> doubts about that), just put the key as-is into the target userid's
> >> .ssh/authorized_keys file and have them give it a try.
> >
> >And make sure the dir .ssh is chmod 700 and the authorized_keys file is
> >chmod 600 or it won't work.
> >
> I believe .ssh chmod 711 works and I find it convenient for co-workers 
> to add me to their public_keys file.  But I keep my authorized_keys 
> file 600 rather than 644 -- no need to support browsing.
>
> and (grand*)parent directories must not be writeable by anyone except 
> owner.
>
> -- gil
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



Re: RACF and public keys

2017-03-02 Thread Kirk Wolf
FYI, we will be presenting a SHARE session next week on this subject:

*Finding the Needle in a Haystack - Diagnosing Common OpenSSH Problems*

   - Room: Blossom Hill I,II
   - Session Number: 20125

Thursday, March 09, 2017: 10:00 AM - 11:00 AM

http://events.share.org/Winter2017/Public/SessionDetails.aspx?FromPage=Sessions.aspx=1900=20


For this particular issue (file permissions), see slide 45 of the presentation.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Mar 1, 2017 at 2:29 PM, Paul Gilmartin <000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Wed, 1 Mar 2017 13:00:08 -0700, Jack J. Woehr wrote:
>
> >Mark Post wrote:
> >> If you don't mind them accessing your system in this way (I have severe
> >> doubts about that), just put the key as-is into the target userid's
> >> .ssh/authorized_keys file and have them give it a try.
> >
> >And make sure the dir .ssh is chmod 700 and the authorized_keys file is
> >chmod 600 or it won't work.
> >
> I believe .ssh chmod 711 works and I find it convenient for co-workers to
> add me to their public_keys file.  But I keep my authorized_keys file 600
> rather than 644 -- no need to support browsing.
>
> and (grand*)parent directories must not be writeable by anyone except
> owner.
>
> -- gil
>


Re: RACF and public keys

2017-03-01 Thread Paul Gilmartin
On Wed, 1 Mar 2017 13:00:08 -0700, Jack J. Woehr wrote:

>Mark Post wrote:
>> If you don't mind them accessing your system in this way (I have severe 
>> doubts about that), just put the key as-is into the target userid's 
>> .ssh/authorized_keys file and have them give it a try.
>
>And make sure the dir .ssh is chmod 700 and the authorized_keys file is chmod 
>600 or it won't work.
>
I believe .ssh chmod 711 works and I find it convenient for co-workers to
add me to their public_keys file.  But I keep my authorized_keys file 600
rather than 644 -- no need to support browsing.

and (grand*)parent directories must not be writeable by anyone except owner.

-- gil

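The ownership and mode rules gil and Jack are describing are the ones OpenSSH applies under StrictModes to authorized_keys, to .ssh, and to every directory up to and including the home directory: each must be owned by the user (or root) and must carry no group or other write bit, which is why 700 and 711 on .ssh both pass and a group-writable .ssh fails. The Python below is an added example, not code from the thread; it performs that walk over a constructed temporary home tree, and the directory names and sample key line are made up.

```python
import os
import stat
import tempfile


def insecure_components(auth_keys, home, uid):
    """Walk from authorized_keys up to (and including) the home directory,
    applying the two rules OpenSSH StrictModes applies to each component:
    owned by the user or root, and not writable by group or others.
    Returns a list of (path, reason); an empty list means the chain is clean."""
    problems = []
    target = os.path.realpath(auth_keys)
    home = os.path.realpath(home)
    path = target
    while True:
        st = os.stat(path)
        if path == target and not stat.S_ISREG(st.st_mode):
            problems.append((path, "not a regular file"))
        if st.st_uid not in (0, uid):
            problems.append((path, "owned by uid %d, not the user or root" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((path, "mode %o is writable by group or others" % (st.st_mode & 0o777)))
        if path == home:
            return problems
        parent = os.path.dirname(path)
        if parent == path:
            raise ValueError("%s is not under %s" % (auth_keys, home))
        path = parent


def demo():
    """Constructed example: a home tree whose .ssh is group-writable (rejected),
    then the same tree after chmod 711 on .ssh (accepted, the case gil describes)."""
    home = tempfile.mkdtemp()
    ssh_dir = os.path.join(home, ".ssh")
    auth_keys = os.path.join(ssh_dir, "authorized_keys")
    os.mkdir(ssh_dir)
    with open(auth_keys, "w") as f:
        f.write("ssh-rsa AAAA...constructed-placeholder... vendor@example.com\n")
    os.chmod(home, 0o755)
    os.chmod(ssh_dir, 0o775)   # group-writable .ssh: sshd logs "bad ownership or modes"
    os.chmod(auth_keys, 0o600)
    before = insecure_components(auth_keys, home, os.getuid())
    os.chmod(ssh_dir, 0o711)   # no group/other write bit: accepted
    after = insecure_components(auth_keys, home, os.getuid())
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for path, why in before:
        print("REJECT", path, why)
    print("clean" if not after else "still broken")
```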


Re: RACF and public keys

2017-03-01 Thread Jack J. Woehr

Mark Post wrote:
> If you don't mind them accessing your system in this way (I have severe doubts 
> about that), just put the key as-is into the target userid's 
> .ssh/authorized_keys file and have them give it a try.

And make sure the dir .ssh is chmod 700 and the authorized_keys file is chmod 
600 or it won't work.

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan



Re: RACF and public keys

2017-03-01 Thread Tracy Adams
Thanks Mark and Allan!

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Post
Sent: Wednesday, March 01, 2017 2:41 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF and public keys

>>> On 3/1/2017 at 02:04 PM, Tracy Adams <tad...@fbbrands.com> wrote: 
> I have a vendor that sent me a "public" key so they can SFTP into our 
> mainframe from a Linux box without having to supply the RACF password.  
> Yes they can sign in with a password and all works fine.  I am new to 
> RACF and loading keys and the whole SFTP / ssh thing so bear with me!
> 
> When I look at the key provided it starts off with this "ssh-rsa 
> B3NzaC1yc2EBI"  The doc I have found from Dovetail for 
> Co:z indicates to get the .pub file into a MVS dataset in "text" 
> format then do a RACDCERT ADD command and then point to the RACF 
> keyring in $HOME/.ssh/authorized_keys.  The RACDCERT command fails 
> indicating "The input data set does not contain a valid certificate." 
> And the DEBUG option provides no additional information.
> 
> I am thinking I must have done something wrong getting the file from 
> Windows email to the mainframe...  I simply used SFTP to move it from 
> c:\temp and I have tried both ASCII (looks good) and BINARY (looks binary).
> 
> Is the .pub file simply in the wrong format for RACF and needs to be 
> converted?

I'm pretty sure the public key they provided you was not intended to be used in 
conjunction with RACF (or any other ESM).  That looks like a "plain old ssh" 
public key.

If you don't mind them accessing your system in this way (I have severe doubts 
about that), just put the key as-is into the target userid's 
.ssh/authorized_keys file and have them give it a try.


Mark Post



Re: RACF and public keys

2017-03-01 Thread Mark Post
>>> On 3/1/2017 at 02:04 PM, Tracy Adams wrote: 
> I have a vendor that sent me a "public" key so they can SFTP into our 
> mainframe from a Linux box without having to supply the RACF password.  Yes 
> they can sign in with a password and all works fine.  I am new to RACF and 
> loading keys and the whole SFTP / ssh thing so bear with me!
> 
> When I look at the key provided it starts off with this "ssh-rsa 
> B3NzaC1yc2EBI"  The doc I have found from Dovetail for Co:z 
> indicates to get the .pub file into a MVS dataset in "text" format then do a 
> RACDCERT ADD command and then point to the RACF keyring in 
> $HOME/.ssh/authorized_keys.  The RACDCERT command fails indicating "The input 
> data set does not contain a valid certificate." And the DEBUG option provides 
> no additional information.  
> 
> I am thinking I must have done something wrong getting the file from Windows 
> email to the mainframe...  I simply used SFTP to move it from c:\temp and I 
> have tried both ASCII (looks good) and BINARY (looks binary).
> 
> Is the .pub file simply in the wrong format for RACF and needs to be 
> converted?

I'm pretty sure the public key they provided you was not intended to be used in 
conjunction with RACF (or any other ESM).  That looks like a "plain old ssh" 
public key.

If you don't mind them accessing your system in this way (I have severe doubts 
about that), just put the key as-is into the target userid's 
.ssh/authorized_keys file and have them give it a try.


Mark Post

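Mark's point, that an "ssh-rsa ..." line is a plain OpenSSH public key and not a certificate RACDCERT can import, can be checked mechanically: the base64 field is an SSH wire-format blob whose first string repeats the key type, which is why every ssh-rsa key begins with "AAAAB3NzaC1yc2E". The Python below is an added example, not code from the thread or from Dovetail; the key material it builds is constructed to exercise the format and is not a usable key.

```python
import base64
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_public_key_line(line):
    """Parse one '<type> <base64-blob> [comment]' line as found in a .pub file or
    authorized_keys. The blob's first wire-format string must repeat the key type;
    anything else (a PEM certificate, a mangled paste) raises ValueError.
    Returns (key_type, comment, blob_length)."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]', got %r" % line[:40])
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        raise ValueError("second field is not base64; this is not an OpenSSH public key")
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if 4 + n > len(blob) or embedded != key_type:
        raise ValueError("blob type %r does not match %r" % (embedded, key_type))
    return key_type, comment, len(blob)


def constructed_rsa_line(comment="vendor@example.com"):
    """Build a syntactically valid ssh-rsa line from made-up e and n (NOT a real key),
    to show where the familiar 'AAAAB3NzaC1yc2E' prefix comes from."""
    e = b"\x01\x00\x01"                   # 65537
    n = b"\x00" + bytes(range(1, 65))     # constructed 512-bit "modulus"
    blob = ssh_string(b"ssh-rsa") + ssh_string(e) + ssh_string(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


if __name__ == "__main__":
    line = constructed_rsa_line()
    print(line[:32] + "...")              # ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...
    print(parse_public_key_line(line))
    try:
        parse_public_key_line("-----BEGIN CERTIFICATE-----")
    except ValueError as err:
        print("rejected:", err)
```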


Re: RACF and public keys

2017-03-01 Thread Allan Staller
The ".pub" file represents the public key and is simply an ASCII text file. It 
should be transferred as a text file.

It needs to eventually end up in /"userid"/ssh/authorizedkeys (not sure of the 
spelling, it's in the doc) for the "userid" being used on the MF side.
Beware. The permissions must be set appropriately or SFTP simply will not 
function.

RACDCERT in the context of SFTP is used as a "container" to hold a 
public/private key pair. This is a different context than RACDCERT for the 
"e-commerce" market.
Since you don't have a private key involved, this is overkill. 

For a great overview see http://www.dovetail.com/webinars.html

In particular "IBM Ported Tools for z/OS: OpenSSH - Using Key Rings"
and "IBM Ported Tools for z/OS: OpenSSH - Key Authentication".

HTH,

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tracy Adams
Sent: Wednesday, March 1, 2017 1:04 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: RACF and public keys

I have a vendor that sent me a "public" key so they can SFTP into our mainframe 
from a Linux box without having to supply the RACF password.  Yes they can sign 
in with a password and all works fine.  I am new to RACF and loading keys and 
the whole SFTP / ssh thing so bear with me!

When I look at the key provided it starts off with this "ssh-rsa 
B3NzaC1yc2EBI"  The doc I have found from Dovetail for Co:z 
indicates to get the .pub file into a MVS dataset in "text" format then do a 
RACDCERT ADD command and then point to the RACF keyring in 
$HOME/.ssh/authorized_keys.  The RACDCERT command fails indicating "The input 
data set does not contain a valid certificate." And the DEBUG option provides 
no additional information.  

I am thinking I must have done something wrong getting the file from Windows 
email to the mainframe...  I simply used SFTP to move it from c:\temp and I 
have tried both ASCII (looks good) and BINARY (looks binary).

Is the .pub file simply in the wrong format for RACF and needs to be converted?

Any help would be greatly appreciated!

Tracy



RACF and public keys

2017-03-01 Thread Tracy Adams
I have a vendor that sent me a "public" key so they can SFTP into our mainframe 
from a Linux box without having to supply the RACF password.  Yes they can sign 
in with a password and all works fine.  I am new to RACF and loading keys and 
the whole SFTP / ssh thing so bear with me!

When I look at the key provided it starts off with this "ssh-rsa 
B3NzaC1yc2EBI"  The doc I have found from Dovetail for Co:z 
indicates to get the .pub file into a MVS dataset in "text" format then do a 
RACDCERT ADD command and then point to the RACF keyring in 
$HOME/.ssh/authorized_keys.  The RACDCERT command fails indicating "The input 
data set does not contain a valid certificate." And the DEBUG option provides 
no additional information.  

I am thinking I must have done something wrong getting the file from Windows 
email to the mainframe...  I simply used SFTP to move it from c:\temp and I 
have tried both ASCII (looks good) and BINARY (looks binary).

Is the .pub file simply in the wrong format for RACF and needs to be converted?

Any help would be greatly appreciated!

Tracy
